Name and contact details of the controller as per Article 4, paragraph 7, GDPR
Company: Hotel Garni Sonne
Simone Schmid, MBA
Address: Franz-Senn-Str. 164, 6167 Neustift im Stubaital, Austria
Security and protection of your personal data
We consider it our prime responsibility to maintain confidentiality about the personal data you have provided and to protect the data from unauthorised access. Consequently, we take the greatest care and apply the latest security standards to guarantee the maximum protection of your personal data.
As a corporation under private law, we are subject to the provisions of the European General Data Protection Regulation (GDPR) and the provisions of the Federal Data Protection Act (BDSG). We have taken technical and organizational measures to ensure that the provisions about data privacy are observed by us as well as our external service providers.
The legislature requires personal data to be processed in a legal manner, in good faith, and in a manner which is transparent for the data subject (“Legality, processing in good faith, transparency”). To guarantee this, we are hereby notifying you about the individual definitions which are also used in this data privacy declaration:
1. Personal data
“Personal data” is all information which refers to an identified or identifiable natural person (hereinafter “data subject”); a natural person is deemed to be identifiable if the person can be identified, directly or indirectly, in particular by allocating them an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics, which are an expression of the physical, physiological, genetic, mental, financial, cultural or social identity of this natural person.
“Processing” is any action executed with or without the aid of an automated procedure, or any set of actions associated with personal data, such as the collection, compiling, organisation, saving, adjustment or modification, the reading, requesting, use, disclosure by transfer, distribution or another form of provision, the comparison or linking, restriction, deletion or destruction.
3. Restriction of processing
The “restriction of processing” is the marking of saved personal data with the aim of restricting its future processing.
“Profiling” is any form of automated processing of personal data, that uses this personal data to evaluate particular personal aspects, which refer to a natural person, in particular to analyse or predict aspects concerning work performance, the financial situation, health, personal preferences, interests, reliability, behaviour, place of stay or change of location of this natural person.
“Pseudonymising” is the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without adding extra information, provided this extra information is stored separately and is subject to technical and organizational measures which guarantee that the personal data cannot be allocated to an identified or identifiable natural person.
6. File system
A “file system” is any structured collection of personal data, which is accessible according to the specified criteria, regardless of whether this collection is kept centrally, de-centrally or based on functional or geographical aspects.
The “controller” is a natural or legal person, public authority or other body which establishes the purpose and method of data processing, alone or together with other actors; if the purpose and method of this processing is specified by European Union law or the law of the Member States, the controller can specify the particular criteria either according to European Union law or the law of the Member States.
The “processor” is a natural or legal person, public authority or other body which processes personal data on behalf of the controller.
The “recipient” is a natural or legal person, public authority or other body to which the personal data is disclosed, regardless of whether it is a third party or not. Authorities which may receive personal data within the scope of a particular order to conduct an enquiry according to the law of the European Union or the law of a Member State are, however, not deemed to be recipients; the processing of this data by the afore-mentioned authorities is done in accordance with the applicable data protection provisions, according to the purpose of the processing.
10. Third parties
A “third party” is a natural or legal person, public authority or other body, except for the data subject, the controller, the processor and the people who are authorised to process the personal data under the direct responsibility of the controller.
“Consent” from the data subject is any informed, unambiguous and freely given permission from the data subject, in the form of a declaration or any other statements made, whereby the data subject indicates that he/she agrees to the processing of his/her personal data.
Legality of processing
The processing of personal data is only lawful if there is a legal basis for the processing. In particular, the legal basis for the processing could be, in accordance with Article 6, paragraph 1 lit. a-f, GDPR:
a. If the data subject has given its consent for the processing of its personal data for one or more intended purposes;
b. If the processing is necessary for the execution of a contract, where the data subject is a contract partner, or for the performance of pre-contractual measures, which are implemented at the request of the data subject;
c. If the processing is necessary to fulfil a legal obligation, which the controller is subject to;
d. If the processing is necessary to protect vital interests of the data subject or another natural person;
e. If the processing is necessary to perform a task, which lies in the public interest or in the execution of official authority, which has been transferred to the controller;
f. If the processing is necessary to protect the justified interests of the controller or a third party, provided the interests or fundamental rights and freedoms of the data subject, who requires the protection of personal data, do not take precedence, in particular if the data subject is a child.
Information about the collection of personal data
(1) Please find below information about the collection of personal data when using our website. Personal data includes the name, address, e-mail address, and data about user behaviour.
(2) In the event that you get in contact with us by e-mail or via a contact form the data you provide (your e-mail address and, if applicable, your name and telephone number) is saved by us to reply to your queries. We delete the data accumulated in this context once the storage of this data is no longer necessary, or the processing is restricted if legal storage obligations exist.
The collection of personal data when visiting our website
When just using the website for information purposes, i.e. if you do not register or transfer any other information to us, we only collect the personal data which your browser sends to our server. If you want to view our website, we will collect the following data, which is technically necessary for us to show you the website and to guarantee stability and security (the legal basis for this is Art. 6, paragraph 1, lit. 1f, GDPR):
• IP address
• Date and time of the request
• Time zone difference to Greenwich Mean Time (GMT)
• Content of the request (specific page)
• Access status/HTTP status code
• The data quantity transferred
• The website from which the request came
• Operating system and its interface
• Language and version of the browser software.
(1) In addition to the afore-mentioned data, cookies are saved on your computer when using our website. Cookies are small text files, which are saved on your hard drive by your browser, and whereby the party that sets the cookie receives certain information. Cookies cannot execute any programs or transfer viruses to your computer. They are used to make the internet offer more user-friendly and effective as a whole.
(2) This website uses the following types of cookies, the scope and functioning of which is mentioned in the following:
• Transient cookies (including)
• Persistent cookies (including)
a. Transient cookies are automatically deleted, when you close the browser: This includes, in particular, session cookies. They save a so-called session ID, whereby various requests of your browser can be allocated to the joint session. This allows your computer to recognise when you return to our website. The session cookies are deleted when you log out or close the browser.
b. Persistent cookies are automatically deleted after a specified period of time, which can vary depending on the cookie. You can delete the cookies at any time in the safety settings of your browser.
c. You can configure your browser settings as you wish and, for example, reject the acceptance of third party cookies or all cookies. So-called “third party cookies” are cookies which are set by a third party; consequently, they are not set by the website you are actually on. We would like to point out that you may not be able to use all of the functions of this website if you deactivate cookies.
Further functions and offers of our website
(1) In addition to the use of our website for pure informational purposes, we offer various services which you can use if interested. To do so, you normally have to provide further personal data, which we use to perform the respective service and for which the afore-mentioned data processing principles apply.
(2) Sometimes we use external service providers for the processing of your data. They have been carefully selected and commissioned by us, are bound by our instructions and undergo regular checks.
(3) Furthermore, we can transfer your personal data to third parties, if we offer participation in campaigns, competitions, the conclusion of contracts or similar services, together with partners. You can receive further information about this, by stating your personal data or below in the description of the offer.
(4) If your service provider or partner has their place of residence in a state outside of the European Economic Area (EEA), we will notify you about the consequences of this in the offer description.
Our offer is generally aimed at adults. People under the age of 18 should not transfer any personal data to us without the consent of their parents or guardian.
Rights of the data subject
(1) Revoking consent
If the processing of personal data is based on consent that you have provided, you have the right to revoke the consent at any time. By revoking the consent, the legality of the processing based on your consent is not affected.
You can contact us at any time to assert the right of revocation.
(2) Right to confirmation
You have the right to request confirmation from the controller about whether we process personal data about your person. You can request the confirmation at any time, using the afore-mentioned contact details.
(3) Right of information
If personal data is processed, you can request information at any time about this personal data, and the following information:
a. the purposes of processing;
b. the categories of personal data which are processed;
c. the recipient or categories of recipients, to whom personal data has been disclosed or is still disclosed, in particular recipients in third countries or international organisations;
d. if possible, the planned duration for which the personal data should be saved or, if this is not possible, the criteria to specify this duration;
e. the existence of a right to the correction or deletion of personal data about you, or to the restriction of the processing by the controller, or a right of objection against this processing;
f. the existence of a right of complaint to a supervisory authority;
g. if the personal data is not collected from the data subject, all available data about the origin of the data;
h. the existence of automatic decision-making, including profiling, as per Article 22, paragraphs 1 and 4, GDPR and – at least in these cases – meaningful information about the involved logic as well as the reach and desired effects of this kind of processing for the data subject.
If personal data is transferred to a third country or an international organisation, you have the right to be notified about suitable guarantees as per Article 46, GDPR associated with the transfer. We provide a copy of the personal data, which is subject to processing. For all other copies which you request personally, we can request suitable remuneration on the basis of handling costs. If you make a request electronically, the information is to be provided in a popular electronic format, provided nothing else is stated. The right to receive a copy as per paragraph 3, must not affect the rights and freedoms of other people.
(4) Right to correction
You have the right to request that we correct incorrect personal data concerning you immediately. Taking into account the purpose of the processing, you have the right to request the completion of incomplete personal data – also by a supplementary statement.
(5) Right to deletion (“right to be forgotten”)
You have the right to request, from the controller, that the affected personal data be immediately deleted, and we are obliged to delete personal data immediately if one of the following reasons applies:
a. The personal data is no longer necessary for the purpose which it was collected for, or processed in any other way.
b. The affected person revokes the consent on which the processing as per Article 6, paragraph 1a, or Article 9, paragraph 2a GDPR, was based, and there is no other legal basis for the processing.
c. The affected person submits an objection as per Article 21, paragraph 1, GDPR against the processing and there are no overriding justified reasons for the processing, or the data subject submits an objection against the processing as per Article 21, paragraph 2, GDPR.
d. The personal data was unlawfully processed.
e. The deletion of personal data is necessary to fulfil a legal obligation according to the Law of the European Union, or the law of the Member State, which the controller is subject to.
f. The personal data was collected with regards to the offered services of the information society as per Article 8, paragraph 1, GDPR.
If the controller has published the personal data and is under obligation, as per paragraph 1, to delete it, then it should take suitable measures, considering the available technology and the implementation costs, including technical measures, to notify the controller of the data processing, who processes the personal data, that a data subject of it has requested the deletion of all links to its personal data, or copies or replications of this personal data.
The right to deletion (“right to be forgotten”) does not exist if the processing is necessary:
• to assert the right to freedom of expression and information;
• to fulfil a legal obligation which requires processing according to the law of the European Union or the Member States, which the controller is subject to, or to perform a task which lies in the public interest or in executing an official order, which was transferred to the controller;
• for reasons of public interest regarding public health, as per Article 9, paragraph 2 lit. h and i, as well as Article 9, paragraph 3, GDPR.
• for archiving purposes which are in the public interest, for scientific or historic research purposes, or for statistical purposes as per Article 89, paragraph 1, GDPR, if the right mentioned in paragraph 1 is likely to make it impossible to achieve the goals of this processing or seriously affect it, or
• to assert, exercise or defend against legal claims.
(6) Right to restrict processing
You have the right to request the restriction of the processing of your personal data, if one of the following prerequisites exists:
a. the correctness of the personal data of the data subject is contested, for a period of time which allows the controller to check the correctness of the personal data,
b. the processing is unlawful and the data subject rejects the deletion of the personal data, and instead requests the restriction of the use of personal data;
c. the controller no longer requires the personal data for processing purposes, although the data subject needs it to assert, exercise or defend against legal claims, or
d. the data subject has submitted an objection against the processing as per Article 21, paragraph 1, GDPR, providing it has not yet been determined whether the justified reasons of the controller outweigh those of the data subject.
If the processing has been restricted as per the afore-mentioned prerequisites, this personal data will only be processed – apart from its saving – with the consent of the data subject or for the assertion, exercising or defending against legal claims, or to protect the rights of another natural or legal person, or for reasons which are of important public interest of the EU or a Member State.
To assert the right to restrict the processing, the data subject can contact us at any time using the contact data provided above.
(7) Right to data transferability
You have the right to receive the personal data about your person, which you have provided to us, in a structured, popular and machine-readable format, and you have the right to transfer this data to another controller without any restriction from the controller, who was provided with the personal data, as long as:
a. the processing is based on consent as per Article 6, paragraph 1a or Article 9, paragraph 2a or a contract as per Article 6, paragraph 1b, GDPR, and
b. the processing is done using an automatic procedure.
When asserting the right to data transferability as per paragraph 1, you have the right to ensure that the personal data is transferred directly from one controller to another controller, provided this is technically feasible. The assertion of the right to data transferability does not affect the right to deletion (the “right to be forgotten”). This right does not apply to processing which is necessary to perform a task, which lies in the public interest or was done in the exercise of official authority, which was transferred to the controller.
(8) Right of objection
You have the right to submit an objection at any time, for reasons which arise from your special situation, against the processing of the personal data about your person, which is done based on Article 6, paragraph 1e or f, GDPR; this also applies for profiling based on these provisions. The controller no longer processes the personal data, unless it can prove mandatory protectable reasons for the processing, which outweigh the interests, rights and freedoms of the data subject, or if the processing is done for the assertion, exertion or defence against legal claims.
If personal data is processed to run direct advertising, you have the right to submit an objection, at any time, against the processing of personal data concerning your person for the purpose of this advertising; this also applies to profiling, if it is done in connection with direct advertising. If you object to the processing for purposes of direct advertising, the personal data is no longer processed for these purposes.
In connection with the use of the services of information societies, you can assert your right of objection automatically, regardless of Directive 2002/58/EC, using an automated procedure, whereby technical specifications are used.
You have the right to submit an objection for reasons which arise from your special situation, against the processing of personal data concerning your person, which is done for scientific or historic research purposes, or for statistical purposes, in accordance with Article 89, paragraph 1, unless the processing is necessary to fulfil a task which lies in the public interest.
You can assert the right of objection at any time, by contacting the respective controller.
(9) Automated decisions in individual cases, including profiling
You have the right not to be subject to a decision which is not exclusively based on automatic processing – including profiling – which affects you legally, or considerably affects you in a similar way. This does not apply, if the decision:
a. is necessary for the conclusion or fulfilment of a contract between the data subject and the controller,
b. is permissible based on the legal provisions of the European Union or the Member State, which the controller is subject to, and these legal provisions contain suitable measures to protect the rights and freedoms, as well as the justified interests of the controller, or
c. is made with the explicit consent of the affected person.
The controller shall take suitable measures to protect the rights and freedoms, and the justified interests, of the affected person, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.
The data subject can exert this right at any time, by contacting the controller.
(10) The right to complain to supervisory authorities
You also have the right, regardless of any other administrative or judicial remedy, to complain to a supervisory authority, in particular in the Member State in which you reside, where your place of work is or where the alleged violation took place, if the data subject believes that the processing of the personal data about its person violates this regulation.
(11) The right to effective judicial remedy
Regardless of available administrative or judicial remedy, including the right to complain to supervisory authorities as per Article 77 GDPR, you have the right to effective judicial remedy, if the authorities are of the opinion that the rights you are entitled to based on this regulation were violated due to the processing of your personal data in a way which was not in accordance with this regulation.
(12) Memory and storage periods
We save your data according to the tax law storage obligation as per Section 132, paragraph 1, Federal Fiscal Code (BAO), i.e. 7 years starting from the last contact. The data is saved for longer if it is of importance in pending proceedings for the fiscal authorities.
The use of Google Analytics
(1) This website uses Google Analytics, a web analysis service of Google Inc. (“Google”). Google Analytics uses so-called “cookies”, text files which are saved on your computer and which allow the analysis of your use of the website. The information generated by the cookie about your use of this website, is normally transferred to a server of Google in the USA and saved there. In the event of the activation of IP anonymisation on this website, your IP address is first shortened by Google within a Member State of the European Union or in other EEC countries. Only in exceptions is the full IP address transferred to a server of Google in the USA and saved there. On behalf of the operator of this website, Google uses this information to evaluate your use of the website, to compile reports about the website activities and to perform services associated with the use of the website for the website operator.
(2) The IP address transferred as part of Google Analytics by your browser is not compiled with other data of Google.
(3) You can prevent the saving of cookies by making a corresponding setting in your browser software; we would, however, like to point out that if you do so, not all functions of this website may be able to be used in full. Furthermore, you can prevent the acquisition of the data generated by the cookie and related to your use of the website (incl. your IP address) to Google, by downloading and installing the browser plug-in available at the following link: http://tools.google.com/dlpage/gaoptout?hl=en.
(4) This website uses Google Analytics with the add-on “_anonymizeIp()”. Consequently, IP addresses are processed in abbreviated form, thereby ruling out a connection to a particular person. If the data compiled about you has a personal reference, this will be removed immediately and the personal data therefore immediately deleted.
(5) We use Google Analytics, to be able to analyse and regularly improve the use of our website. Using the statistics we have obtained, we can improve our offer and make it more interesting for you as the user. For exceptional cases, where personal data is transferred to the USA, Google has subjected itself to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework. The legal basis for the use of Google Analytics is Art. 6 paragraph 1 (1) lit. f, GDPR.
(6) Information about the third party: Google Dublin, Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland, Fax: +353 (1) 436 1001. Terms of service:
(7) This website also uses Google Analytics to analyse incoming visitor flows across devices, who use the same user ID. You can deactivate the cross-device analysis of your use in your customer account under “My Data”, “Personal data”.
The use of social media plug-ins
We currently use the following social media plug-ins: [Facebook, Google+, Twitter, Xing, T3N, LinkedIn, Flattr]. We use the so-called two-click solution. That means, when you visit our page, generally no personal data is sent to the provider of the plug-in at first. You can see the provider of the plug-in by the marking on the box above the first letter, or the logo. We give you the chance to communicate directly with the provider of the plug-in using this button. Only if you click on the marked field and thereby activate it, does the plug-in provider receive the information that you have accessed the corresponding page of our online offer. In addition, the data stated in Section 3 of this statement are transferred. In the case of Facebook and Xing, the IP address is anonymised immediately by the respective provider in Germany. By activating the plug-in, personal data is therefore sent by you to the respective plug-in provider and saved there (with American providers this is done in the USA). As the plug-in provider collects data, in particular using cookies, we recommend deleting all cookies in the safety settings of your browser before clicking on the grey box.
(2) We have no influence on the data collected and the data processing flows and are also not aware of the full scope of data collection, the purposes of the collection and the storage periods. We also have no information about the deletion of the collected data by the plug-in provider.
(3) The plug-in provider saves the data it has collected about you as a user profile, and uses this for the purposes of advertising, market research and/or to design its website to be user-friendly. An evaluation of this kind is done in particular (even for users who are not logged in) to display needs-based adverts and to notify other users of the social network about your activities on our website. You are entitled to a right of objection against the formation of this user profile, whereby you have to contact the respective plug-in provider to assert this. Via the plug-in we give you the chance to interact with the social networks and other users, so that we can improve our offer and make it more interesting for you. The legal basis for the use of the plug-in is Art. 6 paragraph 1 (1) lit. f, GDPR.
(4) The data transfer is done regardless of whether you have an account with the plug-in provider and are logged in. If you are logged in with the plug-in provider, the data we have collected about you will be directly allocated to your account with the plug-in provider. If you press the activated button and, for example, link the page, the plug-in provider also saves this information in your user account and shares it publicly with your contacts. We recommend regularly logging out of a social network after using it, in particular, however, before pressing the button, as by doing so you can avoid an allocation to your account with the plug-in provider.
(5) Further information about the purpose and scope of the data collection, and its distribution by the plug-in provider, can be found in the following data privacy statements of these providers. There you will also find further information about your associated rights and the setting options to protect your privacy.
(6) Addresses of the respective plug-in providers as well as the URL, with their data privacy guidelines:
a. Facebook Inc., 1601 S California Ave, Palo Alto, California 94304, USA; http://www.facebook.com/policy.php; more information about the collection of data: http://www.facebook.com/help/186325668085084, http://www.facebook.com/about/privacy/your-info-on-other#applications as well as http://www.facebook.com/about/privacy/your-info#everyoneinfo. Facebook has certified to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
b. Google Inc., 1600 Amphitheater Parkway, Mountainview, California 94043, USA; https://www.google.com/policies/privacy/partners/?hl=en. Google has certified to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
c. Twitter, Inc., 1355 Market St, Suite 900, San Francisco, California 94103, USA; https://twitter.com/privacy. Twitter has certified to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
d. Xing AG, Gänsemarkt 43, 20354 Hamburg, Germany; http://www.xing.com/privacy.
e. T3N, yeebase media GmbH, Kriegerstr. 40, 30161 Hannover, Germany; https://t3n.de/store/page/datenschutz.
f. LinkedIn Corporation, 2029 Stierlin Court, Mountain View, California 94043, USA; http://www.linkedin.com/legal/privacy-policy. LinkedIn has certified to the EU-US-Privacy-Shield, https://www.privacyshield.gov/EU-US-Framework.
g. Flattr Network Ltd. with its office at 2nd Floor, White Bear Yard 114A, Clerkenwell Road, London, Middlesex, England, EC1R 5DF, Great Britain; https://flattr.com/privacy.
Inclusion of Google Maps
(1) We use the Google Maps service on this website. This allows us to show interactive maps directly in the website and allows you to easily use the maps function.
(2) By visiting the website, Google receives information that you have accessed the corresponding sub-page of our website. In addition, the data stated in Section 3 of this declaration is also transferred. This is done regardless of whether Google provides a user account on which you are logged in, or whether a user account does not exist. If you are logged in with Google, your data is allocated directly to your account. If you do not want the data to be allocated to your profile with Google, you must log out before pressing the button. Google saves your data as a user profile, and uses it for the purposes of advertising, market research and/or to design its website to meet the needs of users. An evaluation of this kind is done in particular (even for users who are not logged in) to provide needs-based advertising and to notify other users of the social network about your activities on our website. You are entitled to a right of objection against the formation of these user profiles, which you have to address to Google.
(3) Further information about the purpose and scope of the data acquisition by the plug-in provider can be found in the data privacy statements of the providers. There you can also find more information about your associated rights and setting options to protect your privacy: http://www.google.de/intl/de/policies/privacy. Google also processes your personal data in the USA and is certified to the EU-US Privacy Shield, https://www.privacyshield.gov/EU-US-Framework.
We use external service providers (processors), for example, for the delivery of goods, the newsletter or to process payments. A separate data processing agreement has been concluded with the service provider, to guarantee the protection of your personal data.
We cooperate with the following service providers:
List of all service providers:
• Julia Erb, die WEBSEITEREI e.U.
Baumannstr. 6/11, 1030 Vienna
• ILONGO, internet- & werbeagentur gmbH